ANALYSIS BY

OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This malware was involved in the March 2016 compromise of a popular bittorent client website, where it was passed off as a legitimate upgrade installer. The first ransomware to exclusively target OSX machines, users affected by this malware may find their important files and documents useless and unopenable.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

TECHNICAL DETAILS

File Size:

1269584 bytes

File Type:

Mach-O

File Compression:

UPX

Memory Resident:

Yes

Payload:

Encrypts files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

~/Library/.kernel_complete

~/Library/.kernel_time

~/Library/.kernel_pid

It drops the following component file(s):

~/Library/kernel_service (detected as Ransom_KeRanger.A)

Other Details

This Trojan connects to the following website to send and receive information:

{BLOCKED}6kvohlkcml.onion.link

{BLOCKED}6kvohlkcml.{BLOCKED}n.nu

{BLOCKED}mea723xyaz.{BLOCKED}n.link

{BLOCKED}mea723xyaz.{BLOCKED}n.nu

{BLOCKED}ok7oz5kjoc.{BLOCKED}n.link

{BLOCKED}k7oz5kjoc.{BLOCKED}n.nu

It renames encrypted files using the following names:

{original filename}.encrypted

NOTES:

It encrypts the files found in the following directories:

/Users/

/Volumes/

It encrypts all files found in the /Users/ directory.

It encrypts the files in the /Volumes/ directory that contain the following file extensions:

.3dm

.3ds

.3g2

.3gp

.7z

.ab4

.accdb

.accde

.accdr

.accdt

.ach

.acr

.act

.adb

.ads

.ai

.ait

.al

.apj

.arw

.asf

.asm

.asp

.asx

.avi

.back

.backup

.bak

.bank

.bay

.bdb

.bgt

.bik

.bkf

.bkp

.blend

.bpw

.c

.cdb

.cdf

.cdr

.cdx

.ce1

.ce2

.cer

.cfp

.cgm

.class

.cls

.cmt

.cnv

.cpi

.cpp

.cr2

.craw

.crt

.crw

.cs

.csh

.csl

.csv

.dac

.db

.db3

.dbf

.dbr

.dbs

.dc2

.dcr

.dcs

.dcx

.ddd

.ddoc

.dds

.der

.des

.design

.dgc

.djvu

.dng

.doc

.docm

.docx

.dot

.dotm

.dotx

.drf

.drw

.dtd

.dwg

.dxb

.dxf

.dxg

.ebd

.edb

.eml

.eps

.erf

.exf

.fdb

.ffd

.fff

.fh

.fhd

.fla

.flac

.flv

.fm

.fp7

.fpx

.fxg

.gdb

.gray

.grey

.grw

.gry

.h

.hbk

.hpp

.ibd

.idx

.iif

.indd

.java

.jpe

.jpeg

.jpg

.kdbx

.kdc

.key

.laccdb

.lua

.m

.m4v

.maf

.mam

.maq

.mar

.maw

.max

.mdb

.mdc

.mde

.mdf

.mdt

.mef

.mfw

.mmw

.mos

.mov

.mp3

.mp4

.mpg

.mpp

.mrw

.mso

.myd

.ndd

.nef

.nk2

.nrw

.ns2

.ns3

.ns4

.nsd

.nsf

.nsg

.nsh

.nwb

.nx1

.nx2

.nyf

.obj

.odb

.odc

.odf

.odg

.odm

.odp

.ods

.odt

.oil

.one

.orf

.otg

.oth

.otp

.ots

.ott

.p12

.p7b

.p7c

.pages

.pas

.pat

.pbo

.pcd

.pct

.pdb

.pdd

.pdf

.pef

.pem

.pfx

.php

.pip

.pl

.plc

.pot

.potm

.potx

.ppam

.pps

.ppsm

.ppsx

.ppt

.pptm

.pptx

.prf

.ps

.psafe3

.psd

.pspimage

.ptx

.pub

.puz

.py

.qba

.qbb

.qbm

.qbw

.qbx

.r3d

.raf

.rar

.rat

.raw

.rdb

.rm

.rtf

.rwz

.sas7bdat

.say

.sd0

.sda

.sdf

.snp

.sql

.sr2

.srf

.srt

.srw

.st4

.st5

.st6

.st7

.st8

.stc

.std

.sti

.stw

.stx

.svg

.swf

.sxc

.sxd

.sxg

.sxi

.sxm

.sxw

.tex

.tga

.thm

.tlg

.txt

.vob

.vsd

.vsx

.vtx

.wav

.wb2

.wbk

.wdb

.wll

.wmv

.wpd

.wps

.x11

.x3f

.xla

.xlam

.xlb

.xlc

.xlk

.xll

.xlm

.xlr

.xls

.xlsb

.xlsm

.xlsx

.xlt

.xltm

.xltx

.xlw

.xpp

.xsn

.yuv

.zip

.tar

.tgz

.gzip

.tib

.sparsebundle

It drops the ransom note on directories where it is able to encrypt files.

Its ransom note is saved using the following names:

README_FOR_DECRYPT.txt

The contents of the ransom note is downloaded from the C&C server.

The contents of the ransom note, as of this writing, contains the following:

SOLUTION

Minimum Scan Engine:

9.800

Step 1

Scan your computer with your Trend Micro product to delete files detected as RANSOM_KERANGER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.